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AIPA 99 Theme Relevance: Tools and Technologies for Intelligence Community Analysts 

Description: 

The primary goal of Onion Routing is to provide private, traffic analysis resistant communications 
over a public network at reasonable cost and efficiency. Communications are intended to be private in 
the sense that both the public network itself and any eavesdropper on the network cannot determine 
the contents of messages flowing from Alice and Bob, and she cannot tell that Alice and Bob are 
communicating with each other. A secondary goal is to provide anonymity to the sender and receiver, 
so that Alice may receive messages but be unable to identify the sender, even though she may be able 
to reply those messages. For example, open source intelligence gathering via the web and pseudonym 
based email communications that hide the true identities of both sender and receiver. 

Onion Routing operates by dynamically building anonymous connections within a network of 
onion routers. These are (roughly) real-time Chaum Mixes. A Mix is a store-and-forward device that 
accepts a number of fixed-length messages from numerous sources, performs cryptographic 
transformations on the messages, and then forwards the messages to the next destination in an order 
not predictable from the order of inputs. A single Mix makes tracking of a particular message either by 
specific bit-pattern, size, or ordering with respect to other messages difficult. By routing through 
numerous Mixes in the network, determining who is talking to whom is made even more difficult. 
Onion Routing's network of core onion routers (Mixes) is distributed, fault-tolerant, and under the 
control of multiple administrative domains, so no single onion router can bring down the network or 
compromise a user's privacy, and cooperation between compromised onion routers is thereby 
confounded. Note that, unlike a Mix, onion routers pass information in real time. A Mix can store 
messages for an indefinite amount of time waiting to receive an adequate number of messages to mix 
together. The real-time constraint on Onion Routing limits this mixing and is one of the important 
differences between onion routers and Mixes. 

Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy- 
aware applications, without modification to the applications. Protocols supported by the second- 
generation system include HTTP, FTP, SMTP, rlogin, telnet, NNTP, finger, whois, and raw sockets. 
Proxies are under development for Socks5, DNS, NFS, IRC, HTTPS, SSH, and Virtual Private Networks 
(VPNs). A proxy has three logical layers: an optional application specific privacy filter that sanitizes 
the data streams; an application specific proxy that translates the data streams into an application 
independent format accepted by the Onion Routing (OR) network, including the structuring of 
information into fixed size cells; and lastly, an onion proxy that builds and manages the anonymous 
connections. Because it builds and manages the anonymous connections, the onion proxy is the most 
trusted component in the system. Also, to build onions and hence define routes the onion proxy must 
know enough about the topology and link state of the network, the public certificates of nodes in the 
network, and the exit policies of nodes in the network. This information is distributed securely within 
the network automatically as new nodes come on-line or as the information changes. 

Status: 

An initial design has been implemented and fielded to demonstrate the feasibility of the approach. 
This prototype has attracted substantial and increasing usage over the past year and a half. At this 
writing, over one million connections per month are being processed from thousands of IP addresses in 
more than twenty countries and all six major top level domains. This demonstrates both an interest in 
the service, and the feasibility of the approach. However, the initial prototype lacked a number of 
features needed to make the system robust and scalable, and to resist insider attacks or more extensive 
eavesdropping. A design for a second-generation system that addresses these issues is complete, and 
its implementation is expected to be completed in early 1999. 

Operational Use: 

Information on using the testbed network and further reading on the subject is available from our 
website: http:/ / www.onion-router.net/ 



